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Agenda 


Tuesday.  April  8 


DOD  Keynote  Address-  DOD  Support  to  Preparedness  &  Response 

Mr.  Peter  F.  Verga,  Principal  Deputy  Assistant  Secretary  of  Defense,  Homeland  Defense  and  Americas’  Security  Affairs 

Cyber  Security  and  Information  Assurance 

Lieutenant  General  Robert  J.  Elder,  USAF,  Joint  Functional  Component  Commander  for  Global  Strike  and  Integration,  U.S.  Strategic  Command 

“The  Business  of  Vulnerabilities-  How  Economics  is  Driving  Cyber  Threats  to  Infrastructure” 

Mr.  Aaron  Turner,  Cyber  Security  Strategist,  Idaho  National  Laboratory 

“Cyber  Security  Overview  &  Update... The  State  of  U.S.  Cyber  Security”  Mr.  Richard  Hale,  Chief  Information  Assurance  Executive,  DISA 
Panel-  Cyber  Security;  Industry  and  Government  Best  Practices 

Moderator:  Mr.  Rick  Anderson,  Deputy  Director,  Defense  Industrial  Base  Cyber  Security  Task  Force 

Panel: 

Supply  Chain/Response  Management 

Mr.  John  Rank,  Vice  President,  Supply  Chain,  General  Dynamics 


Wednesday.  April  9 


Intelligence  &  Threat  Warning;  Opportunities  For  Public/Private  Partnerships 

Mr.  Ronald  T.  “Rudy”  Guerin,  Executive  Vice  President,  Pamir  Resources  &  Consulting,  Inc. 

Panel  -  Improving  the  Sharing  and  Reliability  of  Public  and  Private  Threat  and  Hazard  Information 
Moderator:  Mr.  Steve  Lines,  Director,  Information  Assurance,  SAIC 
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Monday,  April  7 

2:00pm  -  5:00pm 
5:00pm  -  6:30pm 
5:00pm  -  6:30pm 

Tuesday,  April  8 

7:00am  -  8:00am 
8:00am 

8:15am 

8:30am 

9:15am 

10:00am 

10:00am  -  6:00pm 
10:15am 

10:45am 

11:30am 


CIPAC  Meeting  (Invitation  Only) 

DIB  CIP  Exhibits  Open 
Registration  and  Reception  (Cash  Bar) 


Registration  and  Continental  Breakfast 
Welcoming  Remarks 

MG  Barry  D.  Bates,  USA  (Ret),  Vice  President-Operations,  NDIA 

Conference  Overview  and  Objectives 

Mr.  Antwane  Johnson,  Director,  Critical  Infrastructure  Protection,  OASD 
(HD&ASA) 

DOD  Keynote  Address-  DOD  Support  to  Preparedness  &  Response 

Mr.  Peter  F.  Verga,  Principal  Deputy  Assistant  Secretary  of  Defense,  Homeland 
Defense  and  Americas’  Security  Affairs 

Cyber  Security  and  Information  Assurance 

Lieutenant  General  Robert  J.  Elder,  USAF,  Joint  Functional  Component 
Commander  for  Global  Strike  and  Integration,  U.S.  Strategic  Command 

Break  in  Exhibits  Area 

Exhibits  Open 

“The  Business  of  Vulnerabilities-  How  Economics  is  Driving  Cyber  Threats 
to  Infrastructure” 

Mr.  Aaron  Turner,  Cyber  Security  Strategist,  Idaho  National  Laboratory 

“Cyber  Security  Overview  &  Update.  ..The  State  of  U.S.  Cyber  Security” 

Mr.  Richard  Hale,  Chief  Information  Assurance  Executive,  DIS  A 

Panel-  Cyber  Security;  Industry  and  Government  Best  Practices 
Moderator:  Mr.  Rick  Anderson,  Deputy  Director,  Defense  Industrial  Base 
Cyber  Security  Task  Force 

Panel: 

•  Mr.  Jerry  Cochran,  Principal  Security  Strategist,  Trustworthy 
Computing/CIP,  Microsoft  Corporation 

•  Mr.  Tommy  Augustsson,  Vice  President,  Information  Technology, 
General  Dynamics  Corporation 

•  Mr.  Richard  Hale,  Chief  Information  Assurance  Executive,  DISA 

•  Dr.  Mark  Thomas,  Senior  Advisor,  Defense  Industrial  Base  Task 
Force 


12:30pm 

2:00pm 

2:45pm 

3:00pm 


4:30pm 

4:30pm  -  6:00pm 

Wednesday,  April  9 

7:00am  -  8:00am 
8:00am 

8:15am 

9:00am 

9:45am 

9:45am  -  2:20pm 
10:15am 


Lunch 

Supply  Chain/Response  Management 

Mr.  John  Rank,  Vice  President,  Supply  Chain,  General  Dynamics 

Break  in  Exhibits  Area 

Panel-  Supply  Chain/RM;  Global  Supply  Chain  Vulnerability  and  Security 
Issues 

Moderator:  Robert  Connors,  CBCP,  MBCI,  Director,  Preparedness,  Raytheon 
Company 

Panel: 

•  Mr.  William  Osborne,  Director,  Engineering  and  Network  Systems, 
General  Dynamics  Corporation 

•  Mr.  Gene  Tyndall,  President,  Supply  Chain  Executive  Advisors 

•  Mr.  Caleb  Jones,  Assistant  Vice  president,  Risk  Management,  Alion 
Science  and  Technology 

•  Mr.  Sydney  Pope,  Industrial  Policy  Advocate,  Electronic  Systems 
and  Information  Technologies,  ODUSD  (Industrial  Policy) 

Session  Wrap-up  and  Closing  Remarks 

Hosted  Reception  in  the  Exhibits  Area 


Registration  and  Continental  Breakfast 
Welcoming  Remarks 

MG  Barry  D.  Bates,  USA  (Ret),  Vice  President-Operations,  NDIA 

Industry  Keynote  Address  -  A  Corporate-Wide  View  to  Security  and 
Business  Continuity 

Mr.  Stephen  Colo,  Senior  Vice  President  and  Chief  Security  Officer,  SAIC 

Intelligence  &  Threat  Warning:  Combating  the  Insider  Threat  (Physical, 
Personnel,  Procedural  and  Information  Systems) 

Lieutenant  General  Patrick  Hughes,  USA  (Ret),  Vice  President  Intelligence  and 
Counterintelligence,  L3-Communications 

Break  in  Exhibits  Area 

Exhibits  Open 

Intelligence  &  Threat  Warning;  Opportunities  For  Public/Private 
Partnerships 

Mr.  Ronald  T.  “Rudy”  Guerin,  Executive  Vice  President,  Pamir  Resources  & 
Consulting,  Inc. 


11:00am 


Panel  -  Improving  the  Sharing  and  Reliability  of  Public  and  Private  Threat 
and  Hazard  Information 


Moderator:  Mr.  Steve  Lines,  Director,  Information  Assurance,  SAIC 


12:15pm 

2:15pm 

2:20pm 


Panel: 

•  Mr.  Ray  Musser,  Director,  Corporate  Security,  General  Dynamics 
Corporation 

•  Special  Agent  Chuck  Frahm,  Deputy  Assistant  Director,  FBI 

•  Mr.  Vince  Jarvie,  Vice-President,  Corporate  Security,  L-3 
Communications 

•  Mr.  Steve  Shirley,  Executive  Director,  Defense  Cyber  Crime  Center 
(DC3) 

Lunch  Presentation 

Mr.  Robert  Stephan,  Assistant  Secretary  for  Infrastructure  Protection,  DHS 

Session  Wrap-up  and  Closing  Remarks 

MG  Barry  D.  Bates,  USA  (Ret),  Vice  President  -Operations,  NDIA 

Conference  Wrap  up 

Mr.  Peter  F.  Verga,  Principal  Deputy  Assistant  Secretary  of  Defense,  Homeland 
Defense  and  Americas’  Security  Affairs 


National  Strategy  for  Homeland  Security 

Letter,  Oct  5,  2007  -  New  Emphasis  on  Cyber  Security 


-POTUS 


POLICY 


□  A  variety  of  actors  threaten  the  security  of  our  cyber  infrastructure. 

Terrorists  increasingly  exploit  the  Internet  to  communicate , 
proselytize ,  recruit,  raise  funds,  and  conduct  training  and 
operational  planning.  Hostile  foreign  governments  have  the 
technical  and  financial  resources  to  support  advanced  network 
exploitation  and  launch  attacks  on  the  informational  and 
physical  elements  of  our  cyber  infrastructure. 


□  In  order  to  secure  our  cyber  infrastructure  against  these  man-made 
and  natural  threats,  our  Federal,  State,  and  local  governments, 
along  with  the  private  sector,  are  working  together  to  prevent 
damage  to,  and  the  unauthorized  use  and  exploitation  of,  our 
cyber  systems. 


Cyber  Security;  Government  and  Industry 
Best  Practices  Panel  Members 


POLICY 


Dr.  Tommy  Augustsson,  CIO  General  Dynamics, 

tauqusts@qeneraldynamics.com,  703-876-3473 


Mr.  Jerry  Cochran,  Principal  Security  Strategist,  Microsoft 

Jerry.Cochran@microsoft.com 


Mr.  Richard  Hale,  Chief  Information  Assurance  Executive,  DISA 

Richard.hale@disa.mil  703-882-1500 


Dr.  Mark  Thomas,  Senior  Advisor,  Army  DIB  Task  Force 

Mark.Thomas2@us.army.mil  703-697-9424 


Mr.  L.  Rick  Anderson,  Dep,  Dir  DIB  Cyber  Security  Task  Force 

703-604-5523,  ext  123 
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Cyber  Security;  Government  and  Industry 

Best  Practices  Panel 


What  are  some  of  the  major  partnership  challenges 
between  DOD  and  Industry  as  related  to  cyber  security 
info  sharing  and  reporting?  Provide  possible  or  proven 
solutions  if  applicable  (e.g.,  technology,  procedural, 
regulatory,  etc...). 
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Headquarters  Eighth  Air  Force 


Integrity  -  Service  -  Excellence 


Cyber  Domain 
Protection  and  the 
National  Defense 


NDIA  Defense  CIP 
Conference  2008 


14-Apr-08 


This  Briefing  is: 

UNCLASSIFIED 


Lt  Gen  Bob  Elder 
8  April  2008 
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Cyber  Domain  Global  Impact 


THREATS 

■  today,  when  individuals  can  easily  access  all  the 
tools  of  collaboration  and  superempower  themselves, 
or  their  small  cells,  individuals  do  not  need  to  control 
a  country  to  threaten  large  numbers  of  people.” 

OPPORTUNITIES 

■  “We  need  to  think  more  seriously  than  ever  about  how 
we  encourage  people  to  focus  on  productive 
outcomes  that  advance  and  unite  civilization.” 

From  The  World  is  Flat,  Thomas  L.  Friedman 


14-Apr-08 


Fly  -  Fight  -  Win 
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Estonia 


“IMAGINE  that  agents  of  a  hostile  power,  working  in 
conjunction  with  organised  crime,  could  ...  paralyse 
business,  the  media,  government  and  public  services, 
and  cut  you  off  from  the  world.  That  would  be  seen  as  a 
grave  risk  to  national  security,  surely?” 


-  Peter  Schrank,  on  in  “The  Economist,”  May  07 


14-Apr-08 


Fly  -  Fight  -  Win 


Increased  Commercial  Use  of  Cyber 


■  Communication  &  Information  Sharing 

■  Social  Networking 

■  Production  Controls 

■  Education  and  Creativity 

■  Productivity  Enhancement 

■  Navigation 

■  e-Commerce  (and  e-Barter) 

■  Banking  &  Finance 

■  Entertainment 


Lessons  from  9-1 1 , 
Hurricane  Katrina: 

We  are  increasingly 
dependent  on  cyber 
use  for  business, 
public  safety,  and 
daily  life 
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Cyber  Criminal  Activities 


Rank 

Item 

Percentage 

Price  Range 

1 

Credit  Cards 

22% 

$0.50-$5 

2 

Bank  Accounts 

21% 

$30-$400 

3 

E-mail  Passwords 

8% 

$1-$390 

4 

Mailers 

8% 

$8-$10 

5 

E-mail  Addresses 

6% 

$2/MB-$4/MB 

6 

Proxies 

6% 

$0.50-$3 

7 

Full  Identity 

6% 

$10-$150 

8 

Scams 

6% 

$  10/week 

9 

Social  Security  Numbers 

3% 

$5-$7 

10 

Compromised  Unix  Shells 

2% 

$2-$10 

Breakdown  of  goods  available  on  underground  economy  servers 
Source:  Symantec  Corporation,  Sep  2007 
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Sources  of  Malicious  Activity 


Overall 

Rank 

Country 

Overall 

Proportion 

Malicious 
Code  Rank 

Spam 

Zombie 

Cmd&Ctrl 
Server  Rank 

Phishing 

Websites 

Bot 

Rank 

1 

USA 

30% 

1 

1 

1 

1 

2 

2 

China 

10% 

2 

3 

5 

18 

1 

3 

Germany 

7% 

7 

2 

2 

2 

3 

4 

UK 

4% 

3 

15 

6 

3 

7 

5 

France 

4% 

9 

7 

12 

6 

5 

6 

Canada 

4% 

6 

31 

3 

7 

8 

7 

Spain 

3% 

10 

10 

22 

13 

4 

8 

Italy 

3% 

5 

6 

8 

12 

6 

9 

S.  Korea 

3% 

26 

8 

4 

10 

13 

10 

Japan 

2% 

4 

20 

13 

8 

16 

Malicious  Activity  by  Country 

Source:  Symantec  Corporation,  Sep  2007 


14-Apr-08 


Fly  -  Fight  -  Win 


6 


Growing  Dependence  on 
Electromagnetic  Spectrum 


§**99995 

e  9  9  9»o9  3333  »  »  s  a  aa  *  s  *  a  aas  *  ■ 


1975  Frequency  Allocation  Chart 
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2007  Frequency  Allocation  Chart 
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Cyber  Espionage 


"Espionage  used  to  be  a  problem  for  the 
FBI,  CIA  and  military,  but  now  it's  a 
problem  for  corporations,"  Brenner  said. 
"It's  no  longer  a  cloak-and-dagger  thing. 
It's  about  computer  architecture  and  the 
soundness  of  electronic  systems." 

Joel  Brenner,  ODNI  Counterintelligence  Office 

As  reported  in  “Espionage  Network  Said  to  Be  Growing” 
Washington  Post,  3  April  2008 
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2007  Air  Force  Cyber  Study 


■  Cyber  will  continue  to  be  a  contested  environment. 

■  The  infrastructure  on  which  the  Air  Force  depends  is 
controlled  by  both  military  and  commercial  entities 
and  is  vulnerable  to  attacks  and  manipulation. 

■  Operations  in  the  cyber  domain  have  the  ability  to 
impact  operations  in  other  war-fighting  domains. 

■  Air  Force  must  maintain  capability  to  operate  when 
the  reception,  processing,  and  distribution  of  vital 
information  is  challenged. 

■  Nation  must  defend  against  data  manipulation  and 
denial  of  service;  it’s  not  just  an  issue  of  data  theft 
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■  Cyberspace  as  an  Operational  Domain 

■  National  Security  Operations  in  the  Cyber  Domain 

■  Cyber  Domain  Defense  and  Protection 


The  Mission  of  the  United  States  Air  Force  is  to  provide 
sovereign  options  for  the  defense  of  the  US  and  its  global 
interests — to  fly  and  fight  in  air,  space,  and  cyberspace. 
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Cyberspace  Domain  Elements 


Produce  or  use  data 

Share  information  &  knowledge  ^ 
Make  &  implement  decisions 


& 


o  °  o 


Logical 
(Virtual)  Network 


(Social) 

O  NetworlO 


User  Relationships 

O. 


% 


Encapsulation 


Modify, 

store, 

exchange 

data 


Infrastructure 


Cyberspace  is  a  domain  with 
characteristics  comparable  to  the 
air,  space,  and  maritime  domains. 
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in  Relationships 


SPACE 


Cyberspace 
crosses  all 
the  domains 


LAND 


Cyber  ops  require  global  and  theater  integration  across  all  domains 

APr  08  Fly  -  Fight  -  Win 


Cyber  Domain  Exploitation 


■  Government  Activities 

■  Military  Operations 

■  Intelligence  Collection 

■  Banking  &  Finance 

■  Police  &  Security 

■  Utility  Management 


■  Admin  &  Logistics 

■  Health  Services 

■  Sales  &  Marketing 

■  Education 

■  Social  Networking 

■  Information  Management 

■  Knowledge  Management 

■  Entertainment 
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Cyber  Ops  Planning  “Terrain”  Map 


United 

States 

and 

friendly 

Cyber 

elements 


■2  | 
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Adversary 
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The  National  Strategy  to  Secure 

Cyberspace  (DHS  lead) 

■  Establish  a  public-private  architecture  for  national  response 

■  Provide  for  the  development  of  tactical  and  strategic  analysis  of 
cyber  attacks  and  vulnerability  assessments 

■  Encourage  the  development  of  a  private  sector  capability  to 
share  a  synoptic  view  of  the  health  of  cyberspace 

■  Expand  the  Cyber  Warning  and  Information  Network  to  support 
DHS  cyberspace  crisis  management 

■  Improve  national  incident  management 

■  Coordinate  voluntary  participation  in  national 
public-private  continuity  and  contingency  plans 

■  Exercise  cyber  security  continuity  plans  for  federal  systems 

■  Improve  and  enhance  public-private  information  sharing 
involving  cyber  attacks,  threats,  and  vulnerabilities 
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AF  Cyber  Support:  Civil  Authorities 


JTF-GNO 


(STRATCOM) 


Air 


National 


Guard 


NORTHCOM 


(1  AF) 


JTF-GNO  Service 
Components 


8AF 


(AFCYBER) 


Research 


Community 


Intelligence 


Community 


Law 


Enforcement 


Homeland 


Security  Spt 


Centers 
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Cyber  Support:  Defense  Industry 


Law 
Enforcement 
(AFOSI) 


T 


Acquisition 
►  Program 
Offices 


Intelligence 

Community 
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National  Military  Strategy 

for  Cyberspace  Ops  (NMS-CO) 


Ways: 

■  Information  Operations 

■  Network  Operations 

■  Kinetic  Actions 

■  Law  Enforcement 

■  Counter-intelligence 


Enablers: 

■  Science  &  Technology 

■  Partnering 

■  Intelligence  Support 

■  Law  and  policy 

■  Trained  personnel 


Joint  Capability  Areas: 

■  Battlespace  Awareness 

■  Force  Generation 

■  Command  and  Control 

■  Information  Operations 

■  Net-centric  Operations 

■  Global  Deterrence 

■  Homeland  Defense 

■  Interagency  Integration 

■  Non-governmental 
organization  coordination 
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Fly  &  Fight  in  Cyberspace 


Establish  the  Domain 

-  Expeditionary  Cyber  Ops 

-  Cyber  Network  Ops 

Control  the  Domain 

-  Defense 

-  Offense 

Use  the  Domain 

-  Integrated  Attack 

-  Force  Enhancement 

-  Support 


Cyberspace  is  a  Varfighting  Domain 

Fly  -  Fight  -  Win 


Control  the  Cyber  Domain 


Wireless 

Networks 


Cyber  Effects: 

•  Denial  of  Service 

•  Confidential  Data  Loss 


Electronics  (&  Infrastructure) 
Force  Protection 


Networks 


•  Data  Manipulation 

•  System  Integrity  Loss  (includes 


Logical 

Networks 
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Mission 

Assurance 


6® 


'O  °  O 


& 


(Social) 

O  NetworkO 


User  Relationships 


'O  °  o 

Physical 


Logical 

(Virtual)  Network 


Encapsulation 


Information 

Assurance 


QNetworkQ 


Infrastructure  Protection 
Electronic  Protection 
Supply  Chain  Controls 


Cyber  Deterrence 


(Identify  Actions  &  Behaviors  to  Deter) 
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Challenges  and  Opportunities 


Challenges 

■  Increased  cyber  dependence 

■  Supply  chain  vulnerabilities 

■  Infrastructure  vulnerabilities 

■  Electronics  vulnerabilities 

■  Sensor  disruption  &  spoofing 

■  Increased  wireless  use 

■  More  complex  attack  vectors 

■  Growth  in  cyber  crime 

■  Encryption  vulnerabilities 


Opportunities 

■  Mission  Assurance 

■  Attack  Attribution 

■  Malware  behavior  detection 

■  Altered  data/code  detection 

■  Denial  of  service  protection 

■  Cyber  deterrence  strategies 

■  Insider  “threat”  detection 

■  Wireless  privacy  systems 

■  Intrusion  detection/intrusion 
prevention  (IDS/IPS)  systems 
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2008  AFSAB  Cyber  Study  Charter 


■  Assess  and  characterize  cyber  protection  systems  used  by  the 
U.S.  defense  industrial  base  and  their  potential  impacts  to  Air 
Force  operations. 

■  Assess  and  characterize  current  Air  Force  operational  readiness 
levels  for  rapid  detection,  assessment  and  response,  including 
the  ability  to  “fight  through”  a  cyber  attack  and  to  quickly  re¬ 
organize  networks. 

■  Identify  high  leverage  technology  options  for  generating  and 
maintaining  operational  readiness,  including  training,  in  a  variety 
of  scenarios. 

■  Explore  the  impacts  of  a  layered  defense  and  examine  potential 
new  constructs  for  creating  and  implementing  new  network  and 
system  architectures,  for  example,  a  “demilitarized  zone  (DMZ)” 
between  the  Department  of  Defense  and  external  customers. 

■  Evaluate  the  effectiveness  of  such  technology  options  and 
recommend  near-term  and  mid-term  options  for  implementation. 
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Summary:  Cyber  Domain  Protection 


■  Cyber  is  a  domain  ...  not  just  computer  networks 

-  Co-exists  with  air,  space,  land,  and  sea  domains 

■  Cyber  critical  to  military  operations  and  commerce 

-  Foundation  of  the  world’s  global  economy 

■  Cyber  domain  elements  are  under  attack  today 

-  Military  vulnerable  to  direct  and  indirect  attacks 

■  Global  cyber  dominance  requires  new  competencies 

-  Cyber  Weapon  Systems  and  Cyber  operators 

-  Partnerships  (academia,  industry,  government) 

■  Opportunity  to  deter  cyber  attacks  of  mass  effects 

-  Enabled  by  attack  attribution  &  mission  assurance 

Fly  -  Fight  -  Win 
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^3  Pamir 


2008  DIB  CIP  CONFERENCE 

MIAMI,  FL 
April  9,  2008 

INTELLIGENCE  AND  THREAT 

WARNING 


Pamir  Resources  &  Consulting,  Inc. 


“THE  THREAT  IS  CORPORATE 
AMERICA” 


IT  IS  ASYMMETRIC  WARFARE 


Pamir  Resources  &  Consulting,  Inc. 


Annual  Report  to  Congress:  Foreign  Economic  Collection 

and  Industrial  Espionage 


•  “Entities  from  108  countries  were  involved  in 
collection  efforts  against  sensitive  and  protected  US 
technologies  in  FY  2005” 

o  Office  of  the  National  Counterintelligence  Executive 


Pamir  Resources  &  Consulting,  Inc. 


According  to  the  FBI 


Foreign  entities  most  responsible  for  Economic 
Espionage  investigations  within  the  US: 


•  l.  China 

•  2.  India 

•  3.  France 

•  4.  Russia 

•  5.  Israel 


Pamir  Resources  &  Consulting,  Inc. 


•  • 


The  FBI’s  Top  Five 


•  These  countries  are  allowed  to  utilize  their 
intelligence  services  to  support  commercial  gain 
within  their  own  country. 


•  All  in  the  name  of  national  security  and  economic 
gain. 
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SOLUTIONS 


•  “American  organizations  must  begin  policing  their 
operations  more  aggressively  today  to  prevent 
valuable  data  from  being  stolen” 

o  Info  World  Magazine  9/14/07 
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FBI’s  DOMAIN  PROGRAM 


•  Tasked  to  protect  US  companies  sensitive 


information  and  technologies 

•  Corporate  America  is  part  of  US  national  security 

•  Partner  FBI  with  corporate  America  to  identify  what 
is  at  risk 

•  Develop  plan  to  protect  it 

•  Build  relationships 
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FBI’S  DOMAIN  PROGRAM 


•  Business  Alliance 

•  Academic  Alliance 

•  Protect  technology  while  in  the  R&D  stages 
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GLOBAL  INNOVATION  DATASET 


•  Technology  monitoring  developed  by  Pamir  and  its 
partner 

•  Identified  US  technologies  that  were  proliferated  by 
foreign  entities 

•  Looks  at  patent  information  within  120  countries 

•  Prevention  tool  against  Insider  Threat  as  well 
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PREVENTION  PROGRAM 


•  From  pre-employment  to  post-employment 

•  Proper  prevention  can  diminish  loss  of  technology, 


number  of  investigations 

•  Cannot  just  react,  need  to  prevent 

•  (Request  of  Do  J) 
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DUE  DILIGENCE 


The  importance  of  conducting  proper  Due 
Diligence  (DD)  in  an  emerging  overseas 
market  prior  to  conducting  business  overseas 
cannot  be  overstated 

•  The  need  to  conduct  DD  as  you  continue  to  conduct 
business  in  foreign  markets 
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DUE  DILIGENCE 


•  A  Due  Diligence  (DD)  in  an  emerging  market  should 


include: 

o  Company  profile 
o  Annual  inspection 
o  Any  modification  on  Registration 
o  Ownership 
o  Shareholders 
o  Executives 
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DUE  DILIGENCE 


•  Investment/ Affiliated  enterprises 

•  Banking  information 

•  Loan  information 

•  Balance  sheet 

•  Financial  analysis 

•  Main  operation  and  products 

•  Suppliers/customers 
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DUE  DILIGENCE 


•  Criminal  record  (national  police  checks  not  possible 
in  India) 

•  Intelligence  or  military  affiliation 

•  Political  or  Party  affiliation 

•  China  specific:  a  China  context  analysis  of  what  it  all 
means 

•  CAUTION:  Be  careful  to  what  DD  vendors  claim 
regarding  the  extent  of  their  capabilities 
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Cl  AWARENESS  PROGRAM 


•  Need  to  establish  a  counterintelligence  awareness 


program  that  reaches  all  employees 

•  Need  force  multipliers  (eyes/ears) 

•  Need  sources 

•  Need  to  instill  in  employees  that  Cl  awareness  is 
everyone’s  responsibility 

•  How  to  report  and  to  whom 

•  Cyber  responsibility 
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INVESTIGATIONS 


•  When  prevention  and  monitoring  are  not  enough  of 


a  deterrent 

•  Prosecution  becomes  a  priority  because  of  what  is  at 
stake 

•  CHI  Mak  case 

•  DOJ  Task  Forces 

•  Force  multipliers 

•  Build  relationships 
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Bad  Guys 
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Bad  Guy  Motivation 
Gain  Military  Advantage  by. . 


Knowing  what 
we’re  going  to  do 

or  what  we’re  likely 
to  do  _ 


Slowing 

our 

decision 

cycle 


Making  our 
weapons  work  in 
unexpected  ways 


Causing  us  to  lose  faith  in 

each  other 


Fuzzing  up  our  view  of 

reality 

-  By  changing  information 

-By  participating  directly  in 
our  decisions  (by 
masquerading  as  us) 


Sophisticated  Adversaries 
aka  Really  Capable  Bad  Guys 


•  Have  a  military  or  intelligence  mission  in  mind 

•  Will  plan  and  select  the  plan  with  the  best 
combination  of  effectiveness,  (low)  risk  to  the 
adversary,  and  cost 

•  Are  very  patient,  analytical,  methodical,  and 
quiet 

•  Have  advanced  resources  and  tradecraft 

•  Can  select  the  attack  method,  the  target,  the 
time,  and  the  place 


What’s  Our  Business? 


...Twin  Goals  for 
Cyber  Security/I nformation  Assurance 


1.  Ensuring  that  our  customers 
can  depend  on  information 
and  on  the  information 
infrastructure  in  the  face  of 
physical  and  cyber  attack 

(Mission  Assurance,  or,  we’re  all 
really  dependability  experts) 


2.  Ensuring  that  our  customers 
can  keep  a  secret  (when  they 
want  to) 

...  and  doing  both  while 
sharing  as  broadly  as  possible 


Keeping  a  Secret 
(While  Sharing  Broadly) 

Secret  Not  so  Secret  Public 

1 

1  10  100  •  •  •  109 
Number  of  People  With  Access 
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My  Customers 


Anyone  in  DoD,  and  anyone  involved  in  a 

mission  important  to  DoD 

- \ 

We  often  don’t  know  in  advance  with 
whom  DoD  will  be  working 
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My  Oversimplification  of  How 
DoD  Is  Pursuing  These  IA 

(and  sharing)  Goals 
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Part  1 


Limit  exposure  of  vulnerabilities  by 

—  Removing  as  many  of  these  vulnerabilities  as 
possible  (e.g.  encrypt  when  appropriate,  configure 
things  securely,  remove  unnecessary  functions, 
eliminate  passwords) 

—  Layering  protections  that  incrementally  limit 
the  population  with  access  to  a  given  vulnerability 
(defense-in-depth) 

—  Designing  what  DoD  looks  like  to  partners,  to 
the  public,  to  adversaries 
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Part  2 


Drive-out  anonymity  (and  enable  net-centricity 
and  improve  sharing)  by  broad  use  of  non- 
spoofable  cyber  identity  credentials  (aka  PKI ) 

-  Minimize  whole  classes  of  worries;  brings 
accountability,  worries  some  classes  of  bad  guys 

Build  and  operate  an  attack  detection  and 
diagnosis  capability  that  allows  rapid,  sure, 

militarily  useful  reaction  to  cyber  attacks 

Improve  joint,  coalition,  interagency,  & 
industry  partner  cyber  operations/ 

NETOPS  so  the  above  is  possible 
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The  Basics:  Secure  Configuration 


(Or... configuring  everything  securely, 

keeping  everything  configured 
securely,  and  ensuring  the  right  people 

know  this  is  so,  or  not  so) 
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1 .  Define:  Configuration  guides  with  NSA, 
NIST,  industry,  military  services,  DISA 

2.  Buy  it  pre-configured 


3.  Configure  it  (Automate) 

4.  Measure  it  (Automate) 

5.  Change  it  (Automate) 

6.  Report  it  (Automate) 


r 


n 


V 


Big  win: 

(NSA/NIST/AF/DHS/DISA/Microsoft/OMB): 

Federal  Desktop  Core  Configuration 


-V 


Security  Content  Automation  Protocol 

SCAP 


•  Name  for  family  of  cyber  security  data  standards 

-  Configuration  description 

-  Configuration  measurement 

-  Vulnerability 

-  Etc. 

•  NIST  in  the  lead  in  defining;  many  are  used  now 

•  Goals  is  to  improve  sharing  and  improve 
automation 

-  Ex.  “STIG”  content  can  be  machine  readable  and 
consumed  by  any  compliant  tool 

-  DoD  can  purchase  automation  tools  from  any  vendor  that 
complies 
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Information  Sharing  in  the  Federal 

Government 


Or,  What  System-High  Wrought 


17 


JWICS 


SIPRNET 


NIPRNET 


Internet 


Sharing  With  Allies 
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Unclassified 


Unclassified 
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Q.  Does  all  of  this  stuff  really  require  system-high 
separation? 

A.  (My  theory,  although  many  others  have  concluded 
the  same  thing.) 

Nope.  Some  of  these  networks  can  be  treated  as 
separate  communities  within  a  single  network 
infrastructure 

The  CCER.  The  JCS  &  COCOMs  &  Nil  have  asked 
DISA  &  NSA,  to  develop  and  deploy  a  method  of 
consolidating  several  of  the  large  CENTRIXS 

-  CENTRIXS  cross  enclave  requirement  (or  CCER) 
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Sharing  in  the  Interagency 
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JWICS 


<3E5 
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o  o 


A  Typical  Netcentric  Mission  Thread 


(or,  sharing  in  spite  of  system  high) 
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NIPRNET 


Internet 


ATO 


CENTRIXS2 


How  Exactly  Does  That  Sharing  Work? 
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Sharing  Part  1 :  That’s  What  We  Do 
With  All  That  Cross  Domain  Stuff 


Internet 


The  Unified  Cross  Domain 
Management  Office 


•  Intelligence  Community  and  DoD  effort  to  manage 
cross  domain  efforts 

-  Approve  standard  products 

-  Help  customers  find  existing  or  modifiable  technologies 
before  developing  more 

-  Oversee  the  provision  of  cross-domain  as  a  network 
service 

-  Monitor  technology  development 

-  Improve  MLS  certification  and  accreditation  process 

•  As  part  of  overall  IC/DoD  C&A  re-engineering 
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Sharing  Part  2:  Better  DMZs 


Internet 


DoD  DMZs 


User 

Workstations 


Firewalls  With 
Tight,  Customized 
Configurations 


CEnterprise  Backbones 


Publicly  Visible 
Servers 
in  DMZ 

DOOOQ 
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Sometimes  There  Is  A  Separate  DMZ  For  Close 

Partners 
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The  Extranet  DMZs  May  Be  Attached  to  a  Private 

Network,  or  Extranet 


Corporation  1 


Extranet 
DMZ 


Corporation  2 


Extranet 
DMZ 


Extranet 

DMZ 


V^orporation  3  J 


Unclassified 


Unclassified  Sharing  in  the  Interagency? 


One  Result  of  the  Trusted  Internet  Connection 

Initiative? 
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Unclassified  34 


Other  TIC  Thoughts  Based  on  DoD 

Lessons 


•  DoD  has  evolved  various  connection  approval, 
compliance  assessment,  enforcement,  and  exception 
processes 

-  These  will  likely  need  to  be  replicated  in  the  inter-agency 

-  Compliance  enforcement  must  have  teeth 

•  Partners  ALWAYS  have  internet  connections  so 
connect  to  them  via  partner/extranet  DMZs  and 
monitor  these  as  you  would  an  internet  connection 

•  Clear  lines  of  authority  for  management  of  the 
connections  is  essential 

•  Sharing  the  attack  detection  and  diagnosis  data  from 

the  connection  points  is  essential  3 


A  Little  Bit  About  Driving  Out 

Anonymity: 

PKI  and  Cyber  Identity  Credentials 

(DoD  PKI  and  Other  PKIs) 
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Unclassified 


First,  a  bit  about  Bad  Guys  and 

Directories 

(and  why  we  have  Public  Key 

Infrastructures) 


Unclassified 


Publishing  Public  Keys:  the  old  days 
...One  public  key  looks  pretty  much 


like  any  other 

The  Directory 


Bill  Smith 

A  Public  Key 

John  Smith 

A  Public  Key 

Sam  Smith 

A  Public  Key 
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Publishing  Public  Keys:  Now 


Increased  assurance  that  Bill's 
public  key  is  really  his,  and  not 

John’s  or  Sam’s 
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An  Important  Detail... 


•  Bill  still  needs  to  protect  the  other  piece  of  the 
credential... the  private  key 
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The  DoD  PKI 


•  Primarily  identity  credentials  for  people  (for  now) 

•  Issuance  tied  to  the  pool  of  people  identity  in 
DoD. ..DEERS 

•  Single  trust  root,  although  credentials  issued  by 
many  subordinate  certificate  authorities 

•  Asserts  very  little  other  than  the  tie  between  a 
name  and  a  public  key 

-  Must  find  those  other  tidbits  about  Richard  Hale  from 
other  sources 

•  Private  keys  (mostly)  stored  on  the  Common 
Access  Card,  or  CAC 

•  Credential  quality  depends  on  many,  many  things... 
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Credential  Quality 


DoD  PKI  Credential  Quality 

(How  Much  Can  I  Trust  This  Credential  I’ve  Been 

Presented?) 


Use  of  DEERS 


Identity  system 


Use  of  Hardware 
Crypto  in  CAs 


Use  of  hardware  token 
(CAC)  for  the  private  key 


Time 
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Lots  of  Assurance  Increases  in  the 
Works  for  DoD  &  Other  PKIs 


•  Improved  cryptography  (elliptic  curve) 

•  Stronger  protection  of  private  keys,  alternate  tokens 

•  Better  identity  vetting  of  individuals  before  issuing  a 
credential 

•  Stronger  protocols  between  the  certificate  authority 
and  the  place  the  keys  are  generated 

•  More  auditing 

•  Etc.,  etc.,  etc. 
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Sharing  &  Application  Agility: 
The  Service  Oriented  Architecture 

(We’ll  come  back  to  my  cyber  identity  credential, 

and  some  of  its  uses) 
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The  Simple  View  of  the  SOA 


Service  Interface 


Service 

Service 

Provider 

Consumer 

i 

The  WAN 
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What’s  Behind  the  Service  Interface? 


Hosting  Center 


Dependable  SOA  Poses  a  Question 


•  Each  service  consumer  relies  on  some  sort  of 
statement  by  the  service  provider  on  the  service 
being  consumed 

•  Provider  asserts  things  like 

-  Reliability  of  the  service  (in  the  face  of  equipment  failure, 
circuit  failure,  natural  disaster,  cyber  attack,  whatever) 

-  Accuracy  of  information 

-  Performance,  etc. 

r  \ 

How  does  the  consumer  know  whether 

to  believe  the  claims? 

V _  _ J 
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Answers? 


•  Traditionally,  a  contract  between  supplier  and 
consumer  defines  the  terms  of  service 

•  In  DoD  and  the  1C,  this  isn’t  exactly  how  we  work 

•  But,  we  could  invent  a  scheme  of  point-to-point 
MOAs.  But,  this  doesn’t  scale,  even  if  we  could 
figure  out  enforcement 

•  But,  important  missions,  people’s  lives,  and  all  sorts 
of  things  may  depend  on  the  service 

So,  I  think  a  third  party  must  verify  the  service 
providers’  claim,  then  publish  the  findings 
-  (a  Certifier,  a  Tester?) 
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Unclassified 


Who  Spot  Checks  These  Claims? 


•  To  ensure  the  service  provider  is  continuing  to 
satisfy  the  claims  on  which  our  consumer  is 
depending 

•  Certifier? 

•  Tester? 

•  Blue  Team?  (Acting  on  behalf  of  both  the  consumer 
and  the  provider?) 
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Unclassified 


Isn’t  This  a  Lot  of  Trouble  Over 
Something  That’s  Not  That  Hard? 


Unclassified 


Composition  of  Services  into  an 

Application 


Our  service  is  a  participant  in  a  composed 
application  serving  a  soldier  in  the  field 
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Many  Service  Providers 


“Dependability  in  the  Face  of  Cyber  Attack” 
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Back  to  Sharing  While  Keeping  a 

Secret 
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If  We  Have  Thousands  of  Services,  Can  an 
Access-Control-List  Access  Model  Work? 

Enter ...  Attribute-Based  Access  Control 

•  Important  in  the  SOA  going  forward 

-  Scale 

-  Policy  flexibility  ( share  information  with 
unanticipated  person  without  having  to  give  the 
person  an  account) 
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Before : 

Allowing  me  to  access  information, 
Allowing  me  to  act  in  a  certain  role, 
Doing  business  with  me,  etc. 


step  i.  Determine  that  it's  really  me 


step  2.  Then,  learn  things  about  the  real  me 

before  deciding  to  take  a  risk  on  me 
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Step  1 :  I  present  my  PKI  credential  and 
use  my  private  key  to  authenticate. 

Then,  all  that  stuff  about  me  comes  into 

play 
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Who  Knows,  Who  Tells  the  Things 

About  Me? 


I  Do 

But  if  you  don’t  know  me,  will 
you  trust  what  I  say? 


Others  Do 

You  might  trust  some  of  what  others 
say  about  me  (attributes  about  me) 
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Attribute-Based  Access  Control 


Service 

Consumer 


Man 

or  Machine 


Request 
(with  PKI 
authentication) 


Policy 
Enforcement 
Point 


Data 

\ 

I 


Policy 

Decision  Service 


Service 

Provider 


Attributes 


Attribute 

Store 
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Are  Those  Attributes  Worthy  of  The 
Service  Provider’s  Trust? 
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Attributes  and  the  Directory  Problem 


Tight  tie  between  me  and  my  public  key  provided  by 
my  PKI  cert  (and  by  careful  design  of  the  issuance 
process) 

Where’s  the  tight  tie  between  me  (my  name  or 
some  other  unique  identifier)  and  an  attribute 
about  me? 

Who  is  authoritative  for  particular  information 
about  me? 

f  ;  \ 

How  does  a  relying  party  know  that  my 
credit  score,  my  clearance,  my  role,  my 
grades,  are  really  mine? 


Incident  &  Attack 
Detection,  Diagnosis,  and  Reaction 
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The  Computer  Network  Defense 

Process 

Detect  the  incident  or  attack  or  problem 
(hopefully  before  it’s  launched) 

Diagnose  what’s  going  on 

Develop  militarily  useful  courses  of  action 
Pick  one 


Execute  it 
Then  follow  up 
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Realistic  NETOPS  Tactics, 
Techniques,  Strategies 


•  This  may  (at  any  time)  be  a  war  fight 

•  Development  of  effective  NETOPS  war  fighting 
tactics,  etc.  must  be  done  by  considering  realistic 
adversaries 

•  Then  we  must  practice  these  (and  practice, 
practice,  practice  these) 

•  Practice  at  all  levels  of  organizations,  from 
individuals  to  small  groups  to  ops  centers  to 
multiple  ops  centers... 

-  You  get  the  idea 
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This  Also  Requires  Broad  Sharing 


•  Sharing  of  raw  sensor  data,  partial  incident  data, 
and  more  fully  analyzed  incidents  is  also  critical 

-  If  we’re  to  do  this  fast,  and  broadly  across  government 
and  industry 

-  So,  IMHO  we’ve  got  to  set  standards  for  protecting 
this  stuff  so  we’re  all  willing  to  share... 
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DoD  Sets  Standards  and  Accredits 
Computer  Network  Defense  Service 

Providers 

•  The  Interagency,  industry,  others  will  likely 
have  to  do  this  too 
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To  Summarize. 


1 .  Dependability  in  the  Face  of  Cyber 

Attack 


2.  Keeping  a  Secret 

Both  While  Simultaneously  Sharing 

Information  Broadly 
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www.disa.mil 


iase.disa.mil 


68 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 


DEFENSE  INDUSTRIAL  BASE 
SECTOR  COORDINATING  COUNCIL 

Improving  the  Sharing  and  Reliability  of 
Public  and  Private  Threat  and  Hazard 

Information 


April  9,  2008 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 


Panel  Objectives/Takeaways 

-  Objectives 

•  Exchange  information 

•  Discuss  gaps  and  opportunities  for  better  provision/utilization 
of  global  threat  and  natural  disaster  intelligence 

•  Explore  case  studies,  best  practices,  and  successful  strategies 
for  combating  and  understanding  the  insider  threat 

•  Identify  opportunities  for  public/private  intelligence  sharing 
partnerships 

-  Takeaways 

•  Information  sharing,  integration  mechanisms,  and  how  they  enhance 
rapid  response 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 


NIPP  Implementation  Actions 

“The  effective  implementation  of  the  NIPP  is  predicated  on  active 
participation  by  government  and  private  sector  security  partners  in 
robust  multi-directional  information  sharing.  When  owners  and 
operators  are  provided  with  a  comprehensive  picture  of  threats  or 
hazards  to  CI/KR  and  participate  in  ongoing  multi-directional 
information  flow,  their  ability  to  assess  risks,  make  prudent  security 
investments,  and  take  protective  actions  is  substantially 
enhanced.  ” 


NIPP  implementation  will  rely  greatly  on  critical  infrastructure 
information  provided  by  the  private  sector.  Much  of  this  is  sensitive 
business  or  security  information  that  could  cause  serious  damage 
to  companies,  the  economy,  and  public  safety  or  security  through 
unauthorized  disclosure  or  access  to  this  information 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 

Improving  Information  Sharing 

•  Numerous  models  of  mechanisms  that  work  ... 

-  Google  “Info  Sharing”  20,400,000  hits 

-  Google  “Trust  Models”  2,730,000  hits 

•  Implies  “no  ideal” 

-  Contemporaneous  venues  with  similar  objectives  are  okay 

-  Helps  bridge  blockers 

-  Cues  parties  to  desired  common  solution 

-  Enriches  information  streams 

-  Builds  relationship  opportunities 

•  Dialogue  between  DIB  and  DoD 

•  Gaps 

-  Includes  policy,  classification,  communication  system  issues 

-  Issues  enhance  or  impede  key  “lubricants” 

•  Trust,  confidence,  shared  equity 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 


Business  Structure 

•  DIB  companies  have  grown  to  large  entities  through 
the  acquisition  process 

•  Many  unknowns  come  into  play 

-  Policy  differences 

-  Cultures 

-  Vetting  procedures 

-  Foreign  connections 

-  Organizational  control 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 


Cl  Strategy  for  Business 

•  Companies  must  realize  they  have  a  real  threat 
present 


•  Senior  Management  must  support  the  Cl  effort  or  it 
will  not  work 


•  Awareness  of  the  workforce  is  key  to  success 

•  Have  a  Cl  program  in  place  with  trained  personnel  to 
manage  it 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 


Government  Interface  with  the  DIB 


•  Not  all  companies  are  managed  the  same  in 
regards  to  security 

-  Legal  Department 

-  Human  Resources  Department 

-  Operational  Management 

•  Be  aware  all  have  their  own  equities  to  protect 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 


Government  Interface 


•  Important  to  establish  key  relationships  early 

•  Ensure  “hand-offs”  are  handled  appropriately 

•  Attempt  to  limit  the  amount  of  agents  dealing  with 
a  particular  firm,  i.e.,  cyber,  humint,  etc. 

•  If  possible,  manage  interface  through  the  senior 
security  official 

•  Offer  various  support  assistance  to  firm 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 


Issues  remaining 


•  Lack  of  collection  capabilities 

•  Lack  of  efficient  means  of  secure  data  access  and 
dissemination 


•  Training,  investigative  resources 

•  Duplications  of  efforts  (multi-agency  overlap) 


DEFENSE  INDUSTRIAL 
BASE,  SECTOR 
COORDINATING 
COUNCIL 


Cyber  Issue 


•  #1  issue  facing  industry 


•  Lack  of  convergence  between  security  and  IT 
functions  exist  in  some  companies 


•  Being  treated  as  an  “Information  Assurance”  issue, 
not  as  an  “Intelligence”  issue 


•  No  real  solutions  being  developed  to  halt  threat  as 
long  as  firms  continue  to  operate  and  store  data 
connected  to  the  internet 


SUPPLY  CHAIN  PREPAREDNESS 
AND  RESPONSE  MANAGEMENT 


Defense  Industrial  Base  -  Critical  Infrastructure 

Protection  Conference 

8  April  2008 


John  F.  Rank 
Vice  President,  Supply  Chain  Management 
General  Dynamics  Land  Systems,  and 
Chair,  General  Dynamics 
Supply  Chain  Management  Council 
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DIB  CIP  CONFERENCE 


A  CAUSE  FOR  ACTION... 


•  U.S.  Government  Mantra  &  Policy 

•  An  Industrial  Base  Perspective 

•  What  Can  and  Should  Supply  Chain 
Management  be  Doing? 
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DIB  CIP  CONFERENCE 

A  CAUSE  FOR  ACTION 


•  Homeland  Security  Presidential  Directive  7 

71  Policy 

■  Enhance  protection  of  critical  infrastructure 

and  all  key  resources  to  assure  no  negative  affect 
or  cascading  disruption 

■  Protect  transportation  systems 

■  Secure  IT  systems  (Cyberspace) 

■  Department  of  Defense  (DoD)  designated  to 
cover  Defense  Industrial  Base  Infrastructure 
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DIB  CIP  CONFERENCE 

A  CAUSE  FOR  ACTION 


71  Coordination  with  Private  Sector 

■  Collaborate  and  Support  Private  Sector 

Coordinating  Mechanisms 

■  Prioritize  the  Protection  of  Critical 
Infrastructure  and  Key  Resources 

■  Facilitate  Information  Sharing 


U.S.  Government  Agencies  and  Industrial  Base 
are  Partnering  on  Preparedness  and  Response 
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DIB  CIP  CONFERENCE 

A  CAUSE  FOR  ACTION 


•  Homeland  Security  Presidential  Directive  -  8 

71  “This  directive  establishes  policies  to  strengthen 
the  preparedness  of  the  United  States  to  prevent 
and  respond  to  threatened  or  actual  domestic 
terrorist  attacks,  major  disasters,  and  other 
emergencies...” 
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DIB  C/P  CONFERENCE 

A  CAUSE  FOR  ACTION 


•  Defense  Industrial  Base  (DIB) 

Sector-Specific  Plan  (SSP) 

71  Guidance  Developed  by  Collaboration  of  Industry  and 
U.S.  Government  Security  Partners 

71  Plan  covers: 

-  Goals 

-  Identification  of  Assets 

-  Assessment  of  Risk  and  Risk  Management 

-  Asset  Prioritization  Model  (APM)  which  includes  (16)  factors 
classified  into:  (5)  Mission,  (5)  Threat,  (4)  Economic,  and  (2) 
“Other” 

-  Development  of  Protective  Systems 

-  Measurements  on  Progress/Goals 

-  Research  and  Development 

-  Management  and  coordination  of  the  Sector  Specific  Agency 
(SSA) 
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DIB  CIP  CONFERENCE 


A  CAUSE  FOR  ACTION 


We  Cannot  be  Complacent 

•  Al-Qaeda  has  a  20  Year  Plan 

71  Total  Confrontation  by  2016 
7i  Definitive  Victory  by  2020 

■  Will  focus  on  “Critical”  Infrastructure 

•  Goal  Should  be  to  Make  the  U.S.  Industrial 
Base  Strive  to  Make  Nothing  Critical 


•  A  “Sense  of  Urgency  When  There  is  no 
Emergency” 
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DIB  CIP  CONFERENCE 


An  Industrial  Base  Perspective 


General  Dynamics  and  it’s 
Supply  Chain  Challenges 
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D/B  C/P  CONFERENCE 

Industrial  Base  Perspective 


General  Dynamics  Corporation 

Corporate  Overview 
Business  Segments 
Combat  Systems 

Land  Systems 
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DIB  CIP  CONFERENCE 


General  Dynamics  Corporation 


Charlie  Hall 
Executive  VP 
Combat  Systems 


Combat 

Systems 


GENERAL  DYNAMICS 

Land  Systems 


Nick  Chabraja 
Chairman  &  CEO 


aja 

DEO 


•  Revenues:  $27  Billion 

•  Employees:  82,500 


■ 

Jerry  DeMuro 
Executive  VP 
IS  &  T _ I 


Mike  Toner 
Executive  VP 
Marine 


Information  Marine 

Systems  &  Technology 


Approved  for  Public  Release,  Distribution  Unlimited,  GDLS 
approved,  log  2008-13,  dated  4/4/08 


Joe  Lombardo 
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Aerospace 


Gulf  stream 
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DIB  CIP  CONFERENCE 


Combat  Systems 


I  Armament  and  Ordnance  and 

Technical  Products  Tactical  Systems 


MOWAG 


GENERAL  DYNAMICS 

Land  Systems 


Steyr 

European  Land  Systems 
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Santa  Barbara  Sistemas 
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GD  Land  Systems  (GDLS) 

Full  Spectrum  Product  Offerin 


Warrior 


GDLS Lead 


Robotics 


JLTV 


LAV  /  Stryker 


MRAP 


Abrams  MBT 


Cougar 


GENERAL  DYNAMICS 

Land  Systems 


Approved  for  Public  Release,  Distribution  Unlimited,  GDLS 
approved,  log  2008-13,  dated  4/4/08 


SCM 

Supply  Chain  Management 


12 


14  April  2008 


DIB  CIP  CONFERENCE 


CY2007  Overview 


•  Combat  Vehicles 
and  Subsystems 


Multiple  Products  & 
Multiple  Customers 


•  Global  Business 
Base 

•  9,100  Employees 

•  ISO  “9001-2000” 
Registered 

•  SEI  Level  V 
Certified 


Expeditionary 

Fighting 

Vehicle 

3%  \ 


Future 

Combat 

Systems 

9% 


Robotics 
3% 


Abrams 

Tanks 

27% 


Mine 
Protected 
Vehicles 
9% 


Light 

Armored 

Vehicle 

12% 


Stryker  8x8 
33% 
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DIB  CIP  CONFERENCE 


U.S.  Locations 


Ft.  Lewis 

Schofield  Barracks 

,4  / 


V** 


S' 

Pohakuloa 
Training  Area 


Ft.  Wainwright 
Ft.  Richardson 


Muskegon 
Technical 
Center 


Multiple  Locations 


GDLS 

Central  Office  - 
GDLS  Logistics  & 
Engineering  Center 


Camp  Pendleton 


Joint  Systems 


Ft.  Hood  Manufacturing  Anniston 
Center  Army  Depot 


GDLS  Future 
Combat  Systems 


Shelby 
Operations 

Scranton 
Operations 

Robotic 
Systems 

Woodbridge 
Amphibious  Tech 
Systems 

Tallahassee 
Operations 
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DIB  CIP  CONFERENCE 

International  Locations 


Edmonton,  Alberta 


GDLS  -  Canada 
London,  Ontario 


GDLS  -  Australia 
Adelaide,  Australia 


GENERAL  DYNAMICS 

Land  Systems 


Approved  for  Public  Release,  Distribution  Unlimited,  GDLS 
approved,  log  2008-13,  dated  4/4/08 


SCM 

Supply  Chain  Management 


15 


14  April  2008 


DIB  CIP  CONFERENCE 

Supplier  Base 


Land  Systems  -  Supply  Chain  Exposure 


•  >  60%  of  Sales  Revenue  is  Through  Purchased 
Products  &  Services 

•  Over  3600  Suppliers 

•  180  Critical  Suppliers 

•  250  Offshore  Suppliers 

•  2007  Spend  was  $2.2B 


GENERAL  DYNAMICS 

Land  Systems 


Approved  for  Public  Release,  Distribution  Unlimited,  GDLS 
approved,  log  2008-13,  dated  4/4/08 


SCM 

Supply  Chain  Management 


16 


14  April  2008 


DIB  CIP  CONFERENCE 


Industrial  Base 


•  Critical  Subsystems  &  Commodities 

71  Mills  for  Raw  Material 
71  Heavy  Fabrications 

71  Mission  Equipment;  Fire  Control,  Electro-Optical 

7i  CLS  Support  Structure;  Repair  and  Overhaul, 
Spares 

7i  Survivability  and  Armament 
7i  Subsystem  Assemblies 


U.S.  DEFENSE  PRODUCTS  CONTAIN  MANY  SUBSYSTEMS 
WHICH  ARE  CUSTOM  DESIGNED  AND  UNIQUE 
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GDLS  Partnerships  on  Major 
U,S.  Platforms 


PROGRAM  MULTIPLE  INDUSTRY  PARTNERS 


Future  Combat  Systems  BAE 
(FCS) 

Abrams  and  Bradley  BAE 
Modernization 

Mine  Resistant  Ambush  Force  Protection  (Force  Dynamics) 
Protected  (MRAP) 


Joint  Light  Tactical  AM  General  (General  Tactical 

Vehicle  (JLTV) 


SHARED  PROCUREMENT  RESPONSIBILITIES 
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DIB  CIP  CONFERENCE 


Threats  to  the  Infrastructure 


THREATS  TO  THE  DEFENSE 
SUPPLY  CHAIN  INFRASTRUCTURE 


A  BROAD  PERSPECTIVE 
WHAT  CAN  AND  SHOULD  WE  BE  DOING? 
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DIB  CIB  CONFERENCE 


Theme  for  Supply  Chain  Management 
Portion  of  the  Conference: 

“Threats  to  the  supply  chain,  programs  and 
action  to  mitigate  security  and  continuity 
challenges,  and  approaches  to  foster  supply 
chain  response.” 
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SUPPLY  CHAIN  INFRASTRUCTURE 


Affect  on  Business  if  Disruption  or 
Security  Breach 

•  Loss  of  Customer  Confidence 

71  Company  Image 

•  More  U.S.  Government  Oversight 

•  Loss  of  Revenue 

•  Legal  Issues 
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SUPPLY  CHAIN  INFRASTRUCTURE 


What  are  the  threats: 

•  Terrorists  /  Activists 

71  Acts 

71  Ownership  of  Suppliers 

•  Acts  of  War 

•  Disasters 

71  Tornados,  hurricanes,  floods,  wild  fires, 
earthquakes 

7i  Industrial  Fires 

7i  Blackouts 

7i  Environmental 
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SUPPLY  CHAIN  INFRASTRUCTURE 


•  IT/Cyberspace/Telecommunications 

71  Disruptions 
71  Infiltration 

•  Work  Stoppages 

71  Sabotage 

•  Financial  Stability 

•  Customs  (Foreign  &  Domestic)  and  Border 
Issues 

•  Political  Instability 

•  Civil  Disturbance 
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SUPPLY  CHAIN  INFRASTRUCTURE 


Global  Procurement  Adds  Another 
Dimension  to  Control  and  Protection 

•  Import  Control 

•  U.S.  Government  Agency  Infrastructure  and 
Support  is  Limited 

•  Legal  Action  and  Enforcement  of  Contracts 
and  Purchase  Orders 

•  Political  and  Civil  Unrest 
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INFRASTRUCTURE  PROTECTION 


What  Can  and  Should 
Supply  Chain  Management  (SCM) 

be  Doing? 
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What  Should  SCM  Do? 


Recognize  the  Broad  Spectrum  of  the  Supply 
Chain  that  can  be  Affected 


Procurement 


Suppliers 
Domestic  &  Offshore 


Manufacturing 
Locations 


Distribution  &  Transportation 
CONUS  &  Imports 


Customers 


End  Users/War  Fighter 
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What  Shoyld  SCM  Do? 


•  Recognize  That  the  Supply  Chain  is 
Interconnected: 

71  There  are  Multiple  Exchanges  Along  the 
Continuum 

71  If  One  Piece  of  the  Supply  Chain  Link  is 
Harmed  or  Fails,  There  can  be  a  Major  Impact 

71  Trying  to  Protect  the  Entire  Supply  Chain  may 
be  Impractical  or  Impossible 

■  However,  the  Threats  and  Need  for  Protection 
cannot  be  Ignored 
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What  Should  SCM  Do? 


•  Recognize  There  is  a  Cost 

71  The  Cost  of  Supply  Chain  Security  is  Anticipated 
to  Exceed  $1 51 B,  Annually* 

7i  Cost  of  Prevention  Versus  the  Risk  of  Loss  is  a 
Difficult  Balance 

■  Is  There  A  Return  On  Invested  Capital  (ROIC)? 


*  “Five  Tenants  of  Security  -  Aware  Logistics  and  Supply  Chain  Operations”,  by  Dawn  M.  Russell 
and  John  Saladana  in  Transportation  Journal 
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What  Should  SCM  Do? 


What  Can  We  do  to  Protect 
the  Supply  Chain  and  Make  it 

More  Resilient? 
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What  Should  SOM  Do? 


Protection  and  Resiliency 

•  Catastrophic  Risk  Management  should  be  an 
Element  of  Business  Strategy 

•  Flexibility  and  Redundancy  must  be  Added  to 
the  Supply  Chain  in  Order  to  be  Proactive  When 
Disaster  Strikes 

7i  Cost  Issue 

•  Security  and  lanning  are  Key 
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What  Shoyld  SCM  Do? 


•  Preparedness  Should  be  a  Way  of  Thinking 

7i  Requires  Adoption  of  a  Security-Minded  Culture 

•  Program  Training,  Awareness,  and  Maintenance 
are  Essential  for  Execution 

7i  Must  Flow  Down 

•  A  FORMAL  PLAN  is  Needed 

71  How  to  Protect  Resources 
7i  How  to  Recover  Quickly 

•  A  Common  Guideline  or  International  Standard 
Needed? 
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What  Should  SCM  Do? 


Anticipate  and  Assess  Risk  Levels: 

•  With  Suppliers 

71  Alternate  Sources 

•  Transportation  Modes 

•  Warehousing 

•  Availability  of  Alternate  Work  Sites 

•  Threat  to  Intellectual  Property 

•  Allocation  of  Resources 

7i  Can  They  Work  Remotely? 
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What  Should  SOM  Do? 


•  IT  Solutions 

71  Data  Back  Up 

71  Manual  Approach 

■  Electronic  Purchase  Orders 

7i  Equipment  Availability 

■  Blackberry  Back  Up 

•  Telecommunications 

7i  Land  Lines  and  Cell  Phones 

•  Interdependency  Analysis 

•  Benchmark  Industry 
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What  Should  SCM  Do? 


Develop  an  Executable  Disaster  Business 
Continuity  and!  Recovery  Plan 

•  Focus  on  Safeguarding:  People,  Assets,  Financial 
Stability,  Customer  Deliverables 

•  Determine  How  to  Assure  Business  Continuity 

•  Identify  threat  Deterrents 

•  Development  of  Plan  Requires  Collaboration  with: 

71  Industrial  Security 
7i  IT  Support 
71  Human  Resources 
71  Operations/Manufacturing 

7i  Government  Agencies 
7i  Industrial  Supply  Base 
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What  Shoyld  SCM  Do? 


Crisis  Communication  and  Contact  Plan 

•  Need  Points  of  Contact  (POC)  that  are  Readily 
Available 

71  Suppliers 
7i  Internal 

■  Industrial  Security 

■  Human  Resources 

■  Operations/Manufacturing 

■  Leadership 
7i  Customers 

71  U.S.  Government  Agencies 
7i  Employees 

■  Key  Employees 

■  Cascading  Contact  Plan 
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What  Should  SCM  Do? 


•  Contact  Plan  Requires  POC  Information: 

71  Name  &  Title/Role/Responsibility 
71  Land  Line  Telephone  Number 
71  Cell  Phone  Number 
7i  Home,  if  Possible 
7i  Alternate  POC 
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What  Should  SCM  Do? 


•  Determine  How  Long  of  a  Downtime  Period  the 
Business  can  Sustain 

71  Number  of  Days/Weeks  by  Internal  Function  and/or 
Supplier 

•  Determine  Recovery  Time  Lines 

7i  Facility  Availability 
71  Resources 

7i  IT  and  e-Business  Systems  Operation 

■  MRP 

■  Electronic  Purchase  Orders 

■  Documentation  and  Release  Data 

■  Logistics  and  Routing 

■  Finance 
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What  Should  SCM  Do? 


Supply  Chain  Vulnerability  is  Underestimated.  So, 
What  can  We  do  with  the  Industrial  Supply  Base 
Beyond  Exchanging  POC  Information? 

•  Assess  Where  Weak  Links  may  be 

•  Require  Security  and  Preparedness  Plans  from 
Critical  Suppliers 

•  Encourage  Customs-Trade  Partnership  Against 
Terrorism  (C-TAPT)  Certification  or  Similar 
Involvement 

•  Review  Who  is  Involved  in  Their  Manufacturing  and 
Distribution  Chain 

7i  Lower  Tiers,  also 
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What  Shoyld  SCM  Do? 


•  Develop  Alternate  Suppliers  for  Critical  Items 

71  Offshore  Suppliers  Backed  up  by  Domestic 
Sources  or  from  Alternate  Low  Cost  Countries 

■  Utilize  3rd  Party  Advisory  Consultants  to  Validate 
Suppliers 

•  Have  Alternate  Freight  Carriers  and  Modes  of 
Transportation  Available 

•  Apply  Technology 

71  Radio  Frequency  Identification  (RFID) 

7i  Smart  Chips 


GENERAL  DYNAMICS 

Land  Systems 


Approved  for  Public  Release,  Distribution  Unlimited,  GDLS 
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What  Should  SOM  Do? 


Summary: 


•  Recognize  there  is  Cause  for  Action 

•  Collaboration  Between  Industry,  it’s  Supply  Base, 
and  U.S.  Government  Agencies  is  Mandatory 

•  Assess  Threats  and  Vulnerability 

•  Create  the  Plan,  Policies,  and  Procedures 

•  Assess  the  Level  of  Maturity  of  the  Plan  and  Execute 
Accordingly 

71  Implementation  is  Top  Down 

•  Monitor  and  Measure 


Access 


Implement  a  Plan 


Monitor 


GENERAL  DYNAMICS 

Land  Systems 
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DIB  CIP  CONFERENCE 


Questions 


GENERAL  DYNAMICS 

Land  Systems 
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THE  BUSINESS  OF  CYBER  VULNERABILITIES 


Aaron  Turner  -  CISSP,  CISM 

Idaho  National  Laboratory  &  I3  Partners 


Vulnerability  Growth:  2000-2007  ■  Vulnerability  Trends 


A  historical  view  of  the  volume  of  security  problems  that  'Ubiquitous  Applications'  like  Acrobat  and  Flash  are 

have  impacted  computing  systems  in  the  last  7  years.  providing  new  exploitation  opportunities. 


Vulnerability  Disclosures  by  Year 
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Severity  Increasing 


Increasing  attacker  efficiency  is  shown  in  the  number  and 
percentage  of  high-severity  vulnerabilities  that  can  be  used 
for  targeted  attacks. 
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Industry-wide  Problem 


Skilled  attackers  are  equal-opportunity  exploiters.  A  listing  of 
high-severity  vulnerabilities  from  2007  shows  just  how 
pervasive  the  problem  is. 


Vendor 

Vulnerabilities 

Percentage 

Microsoft 

148 

4.3% 

Novell 

132 

3.8% 

Red  Hat 

127 

3.7% 

Ubuntu 

115 

3.3% 

- 

Full  Point 

Increase 

vs  '06 

Apple 

110 

3.2% - 

Sun 

85 

2.5% 

PHP 

72 

2.1% 

Oracle 

68 

2.0% 

Cisco 

62 

1.8% 

Mozilla 

48 

1.4% 

VULNERABILITY  BUSINESS  OVERVIEW 


Vulnerability  Growth  2000  -  2007 


A  historical  view  of  the  volume  of  security  problems  that  have 


impacted  computing  systems  in  the  last  7  years. 
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Vulnerability  Trends 


'Ubiquitous  Applications'  like  Acrobat  and  Flash  are  providing 

new  exploitation  opportunities.  Potential  new 

"Search"  class 
of  vuln. 
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Severity  Increasing 


Increasing  attacker  efficiency  is  shown  in  the  number  and 
percentage  of  high-severity  vulnerabilities  that  can  be  used  for 
targeted  attacks. 

Vulnerabilities  by  CVSSv2  Severity 
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VULNERABILITY  BUSINESS  OVERVIEW 


Equal  Opportunity 


Skilled  attackers  are  equal-opportunity  exploiters.  A  listing  of 
high-severity  vulnerabilities  from  2007  shows  just  how  pervasive 
the  problem  is. 


Vendor 

Critical 

Vuln's 

% 

Microsoft 

148 

4.3% 

Novell 

132 

3.8% 

Red  Hat 

127 

3.7% 

Ubuntu 

115 

3.3% 

Apple 

110 

3.2% — 

Sun 

85 

2.5% 

PHP 

72 

2.1% 

Oracle 

68 

2.0% 

Cisco 

62 

1.8% 

Mozilla 

48 

1.4% 

Full  percentage 
point  increase 
since  '06 


VULNERABILITY  BUSINESS  OVERVIEW 


The  Economics  of  Vulnerabilities 


The  Vulnerability  Market 


An  underground  economy  has  been  established  for  the 
production,  distribution,  exchange  and  purchase  of 
vulnerabilities 

As  with  any  economic  system,  the  attacker  community 
has  succeeded  in  discovering  efficiencies  through 
specialization  of  labor 

•  Vulnerability  Factories 

•  Vulnerability  Wholesalers 

•  Vulnerability  Transporters 

•  Vulnerability  Consumers 
Examples: 

•  76service.com 

•  Executive  Phishing  Services 


In  2006,  a  complex  vulnerability  was  discovered  through 
telemetry  from  Microsoft's  sensor  networks. 

Through  further  investigation,  it  was  determined  that  the 
level  of  effort  required  to  research  the  vulnerability  and 
develop  the  exploit  would  have  required  significant  effort 
and  manpower.  Within  weeks  of  the  targeted  attack,  the 
exploit  was  seen  for  sale  within  underground  economy 
channels. 


Leading  Vulnerability  Economies:  %  of  Vulnerabilities  to  #  of  Total  Estimated  Computer  Users  by  Country 
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TODAY'S  VULNERABILITY  ECONOMY 


Special  Thanks  to: 


Jeff  R.  Jones,  Senior  Security  Strategist,  Microsoft  Corporation 


All  Vulnerability  Data  Referenced  from: 


Microsoft  Security  Intelligence  Report 

http://www.microsoft.conn/sir 


Additional  Resources 


Search  Vulnerability: 

-  http://www.usatodav.com/rnonev/inclustries/technologv/2008-03-31-iavascript- 

hackers  N.htm 

76service.com 

-  ittp://www.cio.com/article/135500/2 

Executive  Phishing  Services 

-  http://www. informationweek.com/news/showArticle. jhtml?articlelD=206103681 


Contact  Information 


aaron@i3partners.org 
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Agenda 


POLICY 


□  The  Challenges  We  Face 

□  The  National  Security  Environment 

□  DoD  Preparedness  &  Response 

>  Physical 

>  Cyber 

□  Conference  Challenge 
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Welcome 


The  DIB  is  a  worldwide  industrial  complex  with  capabilities 
to  develop  and  maintain  military  weapons  systems  to  meet 
military  requirements 

□  +250,000  Defense  Industrial  Base  (DIB)  Sites  worldwide 

□  DIB  is  critical  to  our  nation  and  the  war  fighter 

□  DIB  assets  support  DoD  missions 

□  Vital  to  the  DoD  execution  of  the  National  Military  Strategy 

□  Our  collective  efforts  make  a  difference  in  war  fighter’s  lives  and 
missions 


DoD  values  your  contributions  to  maintain 
technologically  superior,  resilient  industrial  capabilities  to 

preserve  our  nation’s  security. 
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POLICY 


National  Security  Environment- 

Security  Assessment 


Nation-state  threats  will  continue 

□  “Traditional”  ballistic  and  cruise  missile  thre 

□  Rogue  states  employing  asymmetric  means 

>  Both  cyber  and  physical 


□  Potential  emergence  of  a  regional  peer  competitor 


Natural  Hazards 

□  Earthquake 

□  Flood,  Tsunami 

□  Wildfire 

□  Health  and  Disease 

Transnational  threats  will  be  the  most  pressing 

□  Terrorists  will  seek  to: 

>  Attack  Americans  and  Western  Allies  at  home  and  abroad 

>  Inflict  mass  casualties  or  cause  mass  panic  through  CBRN  means  (e.g.,  CBRN 
weapons  or  conversion  of  civilian  infrastructure  or  transport  into  WMD) 
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Challenges 


POLICY 


□  Collaboration 

>  Partnership,  shared  responsibility,  and  Trust  engendered  by 
partnership 

>  Information  sharing  and  protection 

>  Threat  and  warning  information  sharing 

□  HUMINT  (Insider  threat) 

□  Physical  Threats  and  Hazards 

□  Cyber  Security 


“Each  of  us  has  an  extremely  important  role  to  play  in  protecting  the  infrastructures 
and  assets  that  are  the  basis  for  our  daily  lives  and  that  represent  important 
components  of  our  national  power  and  prestige.  The  success  of  our  protective  efforts 

requires  close  cooperation  between  government  and  the  private  sector  at  all  levels.  " 

-  President  George  W.  Bush 
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Mission  Assurance  Concept 


POLICY 


□  Improve  DoD’s  ability  to  execute  its  Mission  Essential  Functions  in 
a  stressed  environment  through  integrating  key  programs  & 
activities 

□  Comprehensively  evaluate  risk  to  DoD  missions,  including  the 
unintended  consequences  of  base  consolidation  &  realignment 

□  Enable  Senior  Leader’s  ability  to  refine  mission-related  policies, 
plans,  programs,  resources,  and  activities,  and  more  productively 
link  policy  decisions  to  operational  requirements  through: 

>  Organizational  Effectiveness 

>  Funding  Efficiencies  -  Making  better  informed  resource  allocation 
(e.g.  budgetary)  decisions  that  increase  oversight  and  accountability 

>  Compliance  -  Coordinating  and  consolidating  Measures  of 
Effectiveness  (MOEs) 


Mission  Assurance  is  an  integrating  concept  NOT  a  change  of 

ownership! 


Mission  Assurance  -  A  Value  Proposition 


POLICY 


Organizational  Effectiveness 

□  Improves  relations  among 
segregated  elements  of  an 
organization 

Integrates  disparate 
elements 

Improves  operational 
efficiency  and  mission 
effectiveness 


□ 


□ 


Funding  Efficiencies 

□  Improves  cost  control 

□  Improves  access  to  funds 
through  prioritized  justification 
of  needs 

□  Prioritizes  funding  and 
resource  allocation 


rganizational 
Effective  nes 

(Policy  & 
Planning) 


Funding 

□ 

Efficiencies 

(Resources)  / 

□ 

□ 

Compliance 

Assures  commitment 
throughout  organization 

Enhances  readiness 

Establishes  governance 
process  internal  to  the 
organization 

Accounts  for  applicable 
legislative  requirements 
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:  J  Strategy  for  Defense  Critical  Infrastructure 

POLICY  — 

□  Articulates  DoD’s  risk  management 
approach  required  for  ensuring  the 
availability  of  assets  deemed  essential  to 
the  successful  completion  of  DoD  missions 
in  an  all-threat,  all-hazard  environment 

□  Defines  through  stated  goals  &  objectives 
how  DoD  will  protect  Defense  Critical 
Infrastructure  (DCI)  to  achieve  mission 
assurance 

>  Goal  1:  Provide  DCIP  policy  and 
program  guidance 

>  Goal  2:  Foster  DCIP  strategic 
partnerships  and  enabling  technologies 

>  Goal  3:  Integrate  and  implement  DCIP  plans, 
capabilities  at  all  levels 

>  Goal  4:  Facilitate  DCIP  resourcing  at  all  levels 

>  Goal  5:  Promote  DCIP  education  and  outreach 


Strategy  for 
Defense  Critical 
Infrastructure 


programs,  and 


DCIP  Strategic  Policy  Timeline 


DCIP  Benchmarks  &  Interim  Implementation  DIB  Sector  Geospatial 
Standards  Guidance  (IIG)  Specific  Plan  Data  Strategy 

NIPP  I  I 


DCIP  Security 
Classification  Guide  (SCG) 


1 


III 


12  May 


Infrastructure  Resiliency  DCIP  Standards 
Guide  (IRG)  &  Benchmarks 

DIB  Sector  (Update) 

DIB  SSP  |  Annual  Report  J 

1  .  _ 


MAY 


15  May  JUN 


7  Jun 


BEI  for  DCIP  TCAs 


DODI  3020. nn 


i 


i 


Remediation 
Planning  Manual 


DCA  Risk  Decision 
Manual 


i 


1 


12  Mar  18  Mar 


T 


T 


T 


t 

Strategy  for  DC  I 


CAIP  Manual 


Threat  Assessment 
Manual 


Security 

Classification 

Manual 
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Partnering 


POLICY 


□  Partnering  Leads  to  Real  Success 

>  Rotating  electrical  equipment  /  control  system  vulnerability 

>  CIP-MAA  assessment  visits  -  information  for  owner/operator  use 

>  BZPP  provided  resources  to  improve  first  responder  capabilities 

>  Providing  security  awareness  training  for  DIB  partners 

□  Government  and  Private  Sector 

>  Team  effort  to  produce  the  Sector  Specific  Plan  -  continues  to 
grow 

•  CIPAC  public  /  private  working  group  on  Goals  and  Objectives 

•  CIPAC  public  /  private  working  group  on  cyber  security 

>  DCMA  and  DHS  Protection  Security  Advisor  visits 

□  Canadian  Dept  of  National  Defence  (DND) 

>  Establishing  mutual  awareness  and  assessment  program  (e.g. 
Joint  Strike  Fighter) 
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Partnering  Efforts 


POLICY 


□  DoD-DIB  Information  sharing 

>  Providing  best  practices,  expertise  and  information 

□  DoD-DIB  collaboration  on  response  actions 

>  Response  actions 

>  Self-assessments 

□  Protected  Critical  Infrastructure  Information  (PCII) 

>  Protects  voluntarily  submitted  critical  infrastructure  information  (CM) 
from  public  release  under  FOIA,  civil  litigation,  and  state  and  local 
“sunshine”  laws. 

>  ASD  (HD&ASA)  continues  to  pursue  DoD  accreditation  under  this 
program. 


Leverage  trust  for  two-way  communication  and  share 
information  for  a  shared  purpose  -  assured  availability 


Cyber  Threat 


POLICY 


□  Hostile  nations  still  pose  a  cyber  threat  to 
the  United  States  because  they  have  the 
intent  and  technological  capabilities  to  do 
so. 


□  A  cyber  attack  could  substantially  impact  a 
number  of  sectors  in  the  United  States, 
including  agriculture,  emergency  response 
and  preparedness  systems,  transportation, 
energy,  health  care,  financial  services,  and 
telecommunications. 


Cyber  Attacks  are  a  REAL  and  EMERGING  National 

Security  Threat 
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Cyber  Security 


POLICY 


□  Cyber  Security  is  a  National  Effort 

>  DHS  is  lead  agency  for  domestic  cyber  security 

>  DoD  will  fully  support  national  efforts  with  policy  coordination,  information 
sharing,  and  technology  transfer 

□  DepSecDef  directed  USD(P)  to  lead  Cyber  Security  Task  Force 

>  Chartered  to  implement  NSPD-54/HSPD-23,  Cyber  security  Policy 

>  DoD  members  include  Nil,  SOLIC,  ATL,  J5,  Air  Staff,  and  JTF-GNO 

>  Interagency  partners  include  DHS,  DOJ,  OTSP,  DNI,  and  NSA 

□  ASD  HD&ASA  has  DoD  DCIP  mission  oversight  and  policy 
responsibility 

>  Lead  cyber  security  coordinator  for  DoD 

>  Best  positioned  to  interface  with  the  interagency  and  leverage  existing 
capabilities  and  competencies  within  DoD 


Provide  unity  of  effort  across  the  Department  and  coordinate  with 
interagency  partners  to  improve  nationai  security  against  the  full 

spectrum  of  cyber  threats 


Conference  Challenge 

POLICY 

□  What  do  you  perceive  as  the  greatest  threats  to  CI/KR  IT 
and  communications  networks? 

□  What  are  gaps  and  barriers  to  effective  bi-directional 
information  sharing? 

□  What  types  of  information  sharing  are  existing  public- 
private  partnerships  and  structures  best  at  addressing? 

□  How  can  we  share  best  practices,  products,  and 
standards? 

□  What  existing  and  emerging  technologies  do  you  believe 
are  most  essential  to  enhanced  CI/KR  network  security? 
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2008  DIB  Critical  Infrastructure  Protection 
Conference  &  Technology  Exhibition 


QUESTIONS? 


VVE’RE  AT  WAR 


ARE  YOU  DOING 
ALL  YOU  CAN? 


